When you configure two-factor authentication, you'll download and save your 2FA recovery codes. If you lose access to your phone, you can authenticate to GitHub using your recovery codes. You can also download your recovery codes at any point after enabling two-factor authentication.

To keep your account secure, don't share or distribute your recovery codes. We recommend saving them with a secure password manager, such as:

Once you use a recovery code to regain access to your account, it cannot be reused. If you've used all 16 recovery codes, you can generate another list of codes. Generating a new set of recovery codes will invalidate any codes you previously generated.

In the upper-right corner of any page, click your profile photo, then click Settings.

In the user settings sidebar, click Security.

Next to "Recovery codes," click Show.

To create another batch of recovery codes, click Generate new recovery codes.

With Recover Accounts Elsewhere, you can add an extra security factor to your GitHub account in case you lose access to your two-factor authentication method or recovery codes.

Recover Accounts Elsewhere lets you associate your GitHub account with your Facebook account. You can store an authentication credential in the form of an account recovery token for your GitHub account with Facebook.

If you lose access to your GitHub account because you no longer have access to your two-factor authentication method or recovery codes, you can retrieve your account recovery token from the recovery provider to help prove that you're the owner of your GitHub account.

After you retrieve your token, GitHub Support or GitHub Premium Support may be able to disable two-factor authentication for your account. Then, you can provide or reset your password to regain access to your account.

Your account recovery token is valid for a year or until you use it. If you retrieve your token or your token expires, you should generate and store a new token.

When you generate or retrieve an account recovery token, an event is added to your account's audit log. For more information, see "Reviewing your security log."

After you're redirected to Facebook, read the information about turning on account recovery with Facebook before you click Save as [YOUR NAME]. (If you save multiple tokens within a short period of time, Facebook may skip this confirmation step after you save your first token.)